Hak5 Forums
Emmynet

Any RDP Cracker in the house?


Hello house, I need a tool or a way I can crack RDPs for tutorial and educational purposes. I have downloaded several versions of DUBrute but none of them are cracking anything; I don't know if any working software that can crack is available?

Posted (edited)

The only (bodge-job) method I ever managed was:

  • Create a SendKeys-based VBScript to press 'Yes' on a Remote Desktop Connection approval pop-up
  • Copy the VBScript to the target machine
  • Create a Scheduled Task on the target machine, running as the logged-in user, using PsExec, to run the above VBScript.
  • Send a Remote Desktop Connection request just before the above runs.
  • Profit.

This does require some prerequisites, such as admin account credentials.

Edited by haze1434


THC-Hydra can do a brute force on RDP. Of course, if common practice is followed there shouldn't be an exposed RDP unless it is behind an RDP gateway. Even then, if they follow some security, you will most likely lock the account out, which will ruin the rest of your attack. If not, Hydra can brute it with a wordlist; you will have to follow the examples and lower the thread count though, or you will DoS the service.

Other than that, if they did not apply a cert, you can use the self-signed cert you see to get the machine name inside the network and the domain name. If CredSSPSupport is off you can get the graphical desktop and see what Windows they are running.

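The lockout point above is what a defender sees from the other side: a burst of failed RDP logons from one source, sometimes followed by a success. The following is an added example (not from this thread) of that detection logic. It assumes a constructed, pipe-delimited rendering of the fields that Windows Security events 4625 (failed logon) and 4624 (successful logon) carry; the sample records, the window and the threshold are all made up for the demonstration.

```python
"""Spot RDP password-guessing bursts in Windows Security audit records.

Added example (not from this thread). Input is a constructed, pipe-delimited
rendering of the fields an event 4625 (failed logon) / 4624 (successful logon)
record carries:  timestamp|EventID|LogonType|IpAddress|TargetUserName
Logon type 10 is RemoteInteractive (a classic RDP logon); type 3 (Network)
is what a failure during NLA/CredSSP looks like, before any session exists.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPES = {"3", "10"}
WINDOW = timedelta(minutes=5)
THRESHOLD = 10  # failures from one source inside WINDOW before we alert

# Constructed sample: twelve rapid failures from one source followed by a
# success, two failures from a second source, and a console (type 2) failure.
SAMPLE_LOG = "\n".join(
    [f"2024-03-01T09:00:{i:02d}|4625|10|203.0.113.5|admin" for i in range(12)]
    + [
        "2024-03-01T09:01:00|4625|10|198.51.100.7|jdoe",
        "2024-03-01T09:01:30|4625|10|198.51.100.7|jdoe",
        "2024-03-01T09:02:00|4625|2|-|jdoe",
        "2024-03-01T09:03:00|4624|10|203.0.113.5|admin",
    ]
)


def parse_event(line):
    """Split one constructed record into its fields; raises on malformed input."""
    fields = line.strip().split("|")
    if len(fields) != 5:
        raise ValueError(f"malformed record: {line!r}")
    ts, event_id, logon_type, ip, user = fields
    return {"ts": datetime.fromisoformat(ts), "id": event_id,
            "logon_type": logon_type, "ip": ip, "user": user}


def detect_rdp_bruteforce(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {source_ip: summary} for every source that reaches `threshold`
    RDP logon failures within any `window`-long span.  The summary records the
    total failures seen, the usernames tried, and whether a successful RDP
    logon from the same source followed the burst (the case that needs an
    immediate response, because a guess probably landed)."""
    recent = defaultdict(deque)  # ip -> (timestamp, user) failures in window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue  # console, service and batch logons are a different story
        if ev["id"] == "4624":
            if ev["ip"] in alerts:
                alerts[ev["ip"]]["success_after"] = True
            continue
        if ev["id"] != "4625":
            continue
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # slide the window forward
        if ev["ip"] in alerts:
            a = alerts[ev["ip"]]
            a["failures"] += 1
            a["last"] = ev["ts"]
            a["users"].add(ev["user"])
        elif len(q) >= threshold:
            alerts[ev["ip"]] = {
                "failures": len(q),
                "first": q[0][0],
                "last": ev["ts"],
                "users": {u for _, u in q},
                "success_after": False,
            }
    return alerts


if __name__ == "__main__":
    for ip, a in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {a['failures']} failures {a['first']}..{a['last']} "
              f"users={sorted(a['users'])} success_after={a['success_after']}")
```

The sliding window is per source address rather than per account on purpose: a low-and-slow sweep that rotates usernames to dodge the lockout policy still accumulates against one source, and a lockout event (4740) on its own tells you nothing about where the guesses came from.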

:: "Unknown publisher"
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\LocalDevices" /v "%HOSTNAME%;%RDGATEWAY%" /t "REG_DWORD" /d 109 /f >NUL 2>&1

:: "The identity of the remote computer cannot be verified. Do you want to connect anyway?"
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client" /v "AuthenticationLevelOverride" /t "REG_DWORD" /d 0 /f >NUL 2>&1

:: Delete old credentials from Micro$oft vault
CMD /Q /D /C cmdkey /delete:"%RDGATEWAY%" >NUL 2>&1
CMD /Q /D /C cmdkey /delete:"%HOSTNAME%" >NUL 2>&1

:: Store credentials to Micro$oft vault
CMD /Q /D /C cmdkey /add:"%RDGATEWAY%" /user:"%RDUSERNAME%" /pass:"%RDPASSWORD%" >NUL 2>&1
CMD /Q /D /C cmdkey /generic:"%HOSTNAME%" /user:"%USERNAME%" /pass:"%PASSWORD%" >NUL 2>&1

Posted (edited)

See spoiler:


@ECHO OFF
:: @jOte- 2059
:: CONNECT RDP/RDGATEWAY and cleanup ...


:: SETTINGS

SET RDGATEWAY=remote.bla.com
SET RDUSERNAME=BASE\admin
SET RDPASSWORD=whatthefuck

SET HOSTNAME=TS01
SET USERNAME=BASE\admin
SET PASSWORD=whatthefuck

SET RDPFILE=%TMP%\~bb%RANDOM%.tmp

:: END SETTINGS

@ECHO OFF
CLS

:: "Unknown publisher"
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\LocalDevices" /v "%HOSTNAME%;%RDGATEWAY%" /t "REG_DWORD" /d 109 /f >NUL 2>&1

:: "The identity of the remote computer cannot be verified. Do you want to connect anyway?"
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client" /v "AuthenticationLevelOverride" /t "REG_DWORD" /d 0 /f >NUL 2>&1

:: Delete old credentials from Micro$oft vault
CMD /Q /D /C cmdkey /delete:"%RDGATEWAY%" >NUL 2>&1
CMD /Q /D /C cmdkey /delete:"%HOSTNAME%" >NUL 2>&1

:: Store credentials to Micro$oft vault
CMD /Q /D /C cmdkey /add:"%RDGATEWAY%" /user:"%RDUSERNAME%" /pass:"%RDPASSWORD%" >NUL 2>&1
CMD /Q /D /C cmdkey /generic:"%HOSTNAME%" /user:"%USERNAME%" /pass:"%PASSWORD%" >NUL 2>&1

:: Create tmpfile
CALL :createFile %HOSTNAME% %USERNAME%

:: Start tmpfile
REM START mstsc /admin %RDPFILE% 
START mstsc %RDPFILE%

:: Wait 30 seconds for mstsc to read the file, then cleanup
TIMEOUT /T 30 /NOBREAK >NUL
CALL :cleanup
GOTO :EOF

:cleanup
:: Delete stored credentials from Micro$oft vault
CMD /Q /D /C cmdkey /delete:"%RDGATEWAY%" >NUL 2>&1
CMD /Q /D /C cmdkey /delete:"%HOSTNAME%" >NUL 2>&1

:: Restore "The identity of the remote computer cannot be verified. Do you want to connect anyway?"
REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client" /v "AuthenticationLevelOverride" /f >NUL 2>&1

:: Restore "Unknown publisher"
REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\LocalDevices" /v "%HOSTNAME%;%RDGATEWAY%" /f >NUL 2>&1

:: Delete tmpfile
DEL /F /Q %RDPFILE% >NUL 2>&1
GOTO :EOF

:createFile
(
ECHO screen mode id:i:2
ECHO use multimon:i:0
ECHO desktopwidth:i:1920
ECHO desktopheight:i:1080
ECHO session bpp:i:32
ECHO winposstr:s:0,3,0,0,800,600
ECHO compression:i:1
ECHO keyboardhook:i:2
ECHO audiocapturemode:i:0
ECHO videoplaybackmode:i:1
ECHO connection type:i:7
ECHO networkautodetect:i:1
ECHO bandwidthautodetect:i:1
ECHO displayconnectionbar:i:1
ECHO enableworkspacereconnect:i:0
ECHO disable wallpaper:i:0
ECHO allow font smoothing:i:0
ECHO allow desktop composition:i:0
ECHO disable full window drag:i:1
ECHO disable menu anims:i:1
ECHO disable themes:i:0
ECHO disable cursor setting:i:0
ECHO bitmapcachepersistenable:i:1
ECHO full address:s:%1
ECHO audiomode:i:0
ECHO redirectprinters:i:0
ECHO redirectcomports:i:0
ECHO redirectsmartcards:i:1
ECHO redirectclipboard:i:1
ECHO redirectposdevices:i:0
ECHO autoreconnection enabled:i:1
ECHO authentication level:i:2
ECHO prompt for credentials:i:0
ECHO negotiate security layer:i:1
ECHO remoteapplicationmode:i:0
ECHO alternate shell:s:
ECHO shell working directory:s:
ECHO gatewayhostname:s:%RDGATEWAY%
ECHO gatewayusagemethod:i:2
ECHO gatewaycredentialssource:i:4
ECHO gatewayprofileusagemethod:i:1
ECHO promptcredentialonce:i:0
ECHO gatewaybrokeringtype:i:0
ECHO use redirection server name:i:0
ECHO rdgiskdcproxy:i:0
ECHO kdcproxyname:s:
ECHO username:s:%2
)>%RDPFILE%

GOTO :EOF

:END
EXIT 1

Edited by Foxtrot
Add spoiler tags for large content

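The script above generates an .rdp file with ECHO, and most of what makes such a connection safe or unsafe lives in those `name:type:value` lines (plus the HKCU override it sets). As an added example, not from this thread or its author, here is a parser for that file format and an audit that flags the settings which weaken server authentication or hand client resources to the remote host. The sample file is constructed; the meaning of the `authentication level` values follows Microsoft's published RDP-file settings reference, while the severity labels are this example's own.

```python
"""Audit an .rdp connection file for settings that weaken server
authentication or widen what the remote host can reach on the client.

Added example, not from this thread.  An .rdp file is one `name:type:value`
entry per line, where type `i` is an integer and `s` a string (mstsc writes
and reads this format; the batch script above generates it with ECHO).
"""

# Constructed sample, modelled on the file the batch script above writes.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:TS01
authentication level:i:2
prompt for credentials:i:0
negotiate security layer:i:1
redirectclipboard:i:1
redirectsmartcards:i:1
redirectdrives:i:0
gatewayhostname:s:remote.example.com
username:s:EXAMPLE\\admin
"""

# Device redirections that hand a client-side resource to the remote host.
REDIRECT_KEYS = ("redirectclipboard", "redirectsmartcards", "redirectdrives",
                 "redirectprinters", "redirectcomports")


def parse_rdp(text):
    """Return {setting: value} with integers converted; reject malformed lines."""
    settings = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)   # the value may itself contain ':'
        if len(parts) != 3 or parts[1] not in ("i", "s"):
            raise ValueError(f"line {n}: not a name:type:value entry: {raw!r}")
        name, kind, value = parts
        settings[name.strip().lower()] = int(value) if kind == "i" else value
    return settings


def audit_rdp(text):
    """Return a list of (severity, setting, explanation) findings."""
    s = parse_rdp(text)
    findings = []

    # authentication level: 0 = connect without warning when server
    # authentication fails, 1 = refuse to connect, 2 = warn and let the
    # user decide (mstsc's documented default when the entry is absent).
    level = s.get("authentication level")
    if level == 0:
        findings.append(("HIGH", "authentication level",
                         "server identity failures are ignored silently; a "
                         "spoofed host on the path can collect the credentials"))
    elif level == 2 or level is None:
        findings.append(("INFO", "authentication level",
                         "user is warned on a certificate mismatch but may "
                         "click through; 1 (refuse) is the strict setting"))

    if s.get("prompt for credentials") == 0:
        findings.append(("MEDIUM", "prompt for credentials",
                         "saved credentials are used without prompting; anyone "
                         "who can run mstsc in this profile inherits them"))

    for key in REDIRECT_KEYS:
        if s.get(key) == 1:
            findings.append(("INFO", key,
                             "client resource is exposed to the remote session"))
    return findings


if __name__ == "__main__":
    for sev, key, why in audit_rdp(SAMPLE_RDP):
        print(f"[{sev}] {key}: {why}")
```

One caveat a file-level audit cannot see: the script above writes `authentication level:i:2` into the file but also sets `AuthenticationLevelOverride` to 0 under `HKCU\Software\Microsoft\Terminal Server Client`, which silences the identity warning for every connection in that user profile. On a Windows client, checking that registry value (and the `LocalDevices` entries next to it) is the complement to auditing the .rdp files.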
